{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T13:19:57Z","timestamp":1768310397144,"version":"3.49.0"},"reference-count":63,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"CHAINS Project through Swedish Foundation for Strategic Research"},{"name":"Wallenberg Autonomous Systems and Software Program"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IIEEE Trans. Software Eng."],"published-print":{"date-parts":[[2026,1]]},"DOI":"10.1109\/tse.2025.3627891","type":"journal-article","created":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T18:44:48Z","timestamp":1762195488000},"page":"54-69","source":"Crossref","is-referenced-by-count":0,"title":["Causes and Canonicalization of Unreproducible Builds in Java"],"prefix":"10.1109","volume":"52","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2263-7902","authenticated-orcid":false,"given":"Aman","family":"Sharma","sequence":"first","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocab":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4015-4640","authenticated-orcid":false,"given":"Benoit","family":"Baudry","sequence":"additional","affiliation":[{"name":"Université de Montréal, Montréal, Canada"}],"role":[{"role":"author","vocab":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3505-3383","authenticated-orcid":false,"given":"Martin","family":"Monperrus","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocab":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Geth Rebuild: Verifiable Builds for Go Ethereum","author":"Andersson","year":"2024"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-023-10399-4"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE55347.2025.00136"},{"key":"ref4","article-title":"JVM-Repo-Rebuild\/Reproducible-Central","author":"Boutemy","year":"2024"},{"key":"ref5","article-title":"Canonical XML Version 1.1","author":"Boyer","year":"2008"},{"key":"ref6","article-title":"JVM \u2014 Reproducible-Builds.Org","year":"2024"},{"key":"ref7","article-title":"Solana JavaScript SDK backdoored to steal keys, funds","year":"2024"},{"key":"ref8","article-title":"JEP 223: New version-string scheme","author":"Clark","year":"2014"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3329781.3344149"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3722542"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985468"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664288"},{"key":"ref13","article-title":"BinEq-A benchmark of compiled Java programs to assess alternative builds","author":"Dietrich","year":"2024"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/icsme64153.2025.00058"},{"key":"ref15","article-title":"Reproducible builds and insights from an independent verifier for arch Linux","author":"Drexel","year":"2024"},{"key":"ref16","article-title":"Behind the Scenes: How do lambda expressions really work in Java?","author":"Evans","year":"2020"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/sp46215.2023.10179320"},{"key":"ref18","article-title":"[JDK-4774077] use covariant return types in the NIO buffer hierarchy - Java bug system","author":"Gafter","year":"2002"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/MSR66628.2025.00062"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/icsme46990.2020.00071"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/esem.2017.11"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3603110"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3643764"},{"key":"ref24","article-title":"Integration of reproducibility verification with diffoscope in GNU Make","author":"Lagn\u00f6hed","year":"2024"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/ms.2021.3073045"},{"key":"ref26","article-title":"Supply-chain attack analysis: Ultralytics - The Python package index blog","author":"Larson","year":"2024"},{"key":"ref27","article-title":"Eclipse Temurin reproducible verification builds for secure supply chain validation","author":"Leonard","year":"2024"},{"key":"ref28","article-title":"A tale of several distros joining forces for a common goal: Reproducible builds","author":"Holger Levsen","year":"2025"},{"key":"ref29","article-title":"Reproducible Builds:Break a Log, Good Things Come in Trees","author":"Linderud","year":"2019"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09926-4"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10117-6"},{"key":"ref32","author":"Malka","year":"2025","journal-title":"How NixOS Could Have Detected XZ Supply-Chain Attack Benefit All Thanks to Reproducible-Builds"},{"key":"ref33","first-page":"775","article-title":"Does functional package management enable reproducible builds at scale? Yes","volume-title":"Proc. 22nd Int. Conf. Mining Softw. Repositories","author":"Malka","year":"2025"},{"key":"ref34","article-title":"Why getClass returns the name of the class + $1 (or $*)","year":"2016"},{"key":"ref35","article-title":"Guava artifacts are not bitwise reproducible $\\cdot$\u22c5 Issue #6321 $\\cdot$\u22c5 Google\/Guava","author":"Moore","year":"2023"},{"key":"ref36","article-title":"Java still rocks the finance industry","year":"2021"},{"key":"ref37","article-title":"Decentralized Validation of Reproducible Builds: A Protocol for Collaborative and Decentralized Validation of Package Reproducibility","author":"Moritz","year":"2023"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464797"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378519"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/ctc.2013.9"},{"key":"ref41","article-title":"Deterministic builds part one: Cyberwar and global compromise","author":"Perry"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-032-00627-1_11"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3507657.3528537"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/msr66628.2025.00026"},{"key":"ref45","article-title":"Jimple: Simplifying Java bytecode for analyses and transformations","author":"Vall\u00e9e-Rai","year":"1998"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3643991.3644913"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180224"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/ase.2019.00056"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510102"},{"key":"ref50","article-title":"Synthetic Constructs in Java","author":"Rimenti","year":"2018"},{"key":"ref51","article-title":"Trends in Government Software Developers - Stack Overflow","author":"Robinson","year":"2017"},{"key":"ref52","article-title":"Java bytecode normalization for code similarity analysis","author":"Schott","year":"2024","journal-title":"In DROPS-IDN\/v2\/Document\/10.4230\/LIPIcs.ECOOP.2024.37. Schloss Dagstuhl \u2013 Leibniz-Zentrum F\u00fcr Informatik"},{"key":"ref53","article-title":"SBOM.EXE: Countering dynamic code injection based on software bill of materials in Java","author":"Sharma","year":"2024"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2021.3092692"},{"key":"ref55","article-title":"JEP 280: Indify string concatenation","author":"Shipilev","year":"2024"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/mc.2022.3175542"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3001878.3001882"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"ref59","first-page":"13","article-title":"Soot - a Java bytecode optimization framework","volume-title":"Proc. Conf. Centre Adv. Stud. Collaborative Res. (CASCON)","author":"Vall\u00e9e-Rai","year":"1999"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468592"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3714464"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513050"},{"key":"ref63","article-title":"Automatic Building Of Java Projects On GitHub: A Study On Reproducibility","author":"Yasi","year":"2022"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/32\/11346545\/11223991.pdf?arnumber=11223991","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T08:13:04Z","timestamp":1768291984000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11223991\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":63,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tse.2025.3627891","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"value":"0098-5589","type":"print"},{"value":"1939-3520","type":"electronic"},{"value":"2326-3881","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}